Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System

摘要

The paper presents a mathematical model for the optimal security-technology investment evaluation and decision-making processes based on the quantitative analysis of security risks and digital asset assessments in an enterprise. The model makes use of the quantitative analysis of different security measures that counteract individual risks by identifying the information system processes in an enterprise and the potential threats. The model comprises the target security levels for all identified business processes and the probability of a security accident together with the possible loss the enterprise may suffer. The selection of security technology is based on the efficiency of selected security measures. Economic metrics are applied for the efficiency assessment and comparative analysis of different protection technologies. Unlike the existing models for evaluation of the security investment, the proposed model allows direct comparison and quantitative assessment of different security measures. The model allows deep analyses and computations providing quantitative assessments of different options for investments, which translate into recommendations facilitating the selection of the best solution and the decision-making thereof. The model was tested using empirical examples with data from real business environment.%Povzetek: V prispevku je predstavljen matematični model za vrednotenje naložb v varnostne tehnologije in odločitvene procese na podlagi kvantitativne analize varnostnih tveganj ter različnih varnostnih ukrepov, ki zmanjšujejo posamezna tveganja. Za vse ugotovljene poslovne procese se določijo zelene stopnje varnosti, verjetnost za varnostni incident ter morebitna izguba, ki jo lahko utrpi podjetje. Izbor varnostne tehnologije temelji na učinkovitosti izbranih varnostnih ukrepov, pri čemer se za ocenjevanje učinkovitosti in primerjalno analizo različnih varnostnih tehnologij uporabljajo ekonomski kazalci. Za razliko od obstoječih modelov za oceno naložb v informacijsko varnost, omogoča predlagani model neposredno primerjavo in kvantitativno oceno različnih varnostnih ukrepov. Model omogoča podrobno analizo kvantitativnih ocen za različne vrste naložb, ter podaja priporočila, ki omogočajo izbiro optimalne varnostne rešitve. Model je bil testiran z uporabo praktičnih primerov s podatki iz realnega poslovnega okolja.